Following Equifax Hack, AG and Legislators Announce Legislation to Protect Mass. Consumers

BOSTON – Attorney General Maura Healey announced on Monday her support for legislation filed by Representative Jennifer Benson (D-Lunenburg) and Senator Barbara L’Italien (D-Andover) that will better protect consumers from data breaches like the recent hack of Equifax data.

The legislation, An Act Removing Fees for Security Freezes and Disclosures of Consumer Credit Reports (S.130/H.134), will help consumers by eliminating fees and establishing a procedure for placing credit freezes, and mandating encryption of personal information in credit reports, as well as requiring that companies obtain consent before accessing or using consumer credit reports and credit scores.

The bill – originally filed in January, with additional language introduced today at the State House is sponsored by Senator Barbara L’Italien and State Representative Jennifer Benson. Attorney General Maura Healey’s office assisted in drafting the updated language to provide additional protections for consumers affected by a breach.

 “For too long, protecting consumers has been an afterthought for Equifax and other credit reporting agencies,” said the Attorney General. “This bill will give Massachusetts residents control over their personal data and help fix a system that needed reform long before the Equifax breach. I am proud to join with Senator L’Italien and Representative Benson as Massachusetts leads the charge for our country’s consumers.”

AG Healey will testify before the Joint Committee on Consumer Protection and Professional Licensure tomorrow in support of the bill and ask the Committee to incorporate the additional consumer protections proposed today.

“I welcome the Attorney General’s support of this important legislation,” said Representative Benson, Chair of the Joint Committee on State Administration and Regulatory Oversight. “I filed this bill to protect victims of identity theft, and in collaboration with the Attorney General and Chairwoman L’Italien, we’ve made the language even stronger to provide further consumer protections.”

“I am proud to stand today in collaboration with the Attorney General and Rep. Jen Benson to discuss enhanced consumer protections for all residents of our Commonwealth,” said Senator L’Italien. “With the Equifax breach we learned how easy it is for our personal information to be compromised, and the urgency of ensuring additional protection for consumers and our credit and financial information.”

“Equifax’s massive security breach exposed that not only did they throw away the lock and lose the key to safeguarding our information, but when we asked them to secure it, with a credit freeze, they wanted to charge us and make a profit off of their extreme negligence,” said Deirdre Cummings, Legislative Director with MASSPIRG. “We have a terrific opportunity and obligation to pass a strong reform bill, and we should do it now.”

The updated legislation helps consumers in Massachusetts in a number of ways:

  1. Consent: Any company seeking to obtain or use a consumer’s credit report or credit score will need the written consent of the consumer and must disclose the reason for seeking access to the information.
  2. Credit Freeze: The bill would allow consumers to place and lift a credit freeze on their files at any time, for free. Unlike credit monitoring (which alerts you after potential identity theft has already occurred), a credit freeze makes it harder for someone to open a new account in your name. The new legislation will require the credit reporting agencies to put in place a simple, one-stop shop for freezing and unfreezing your credit reports.
  3. Credit reports: The bill will require each credit reporting agency to provide extra access to free credit reports to consumers impacted by a breach. Under federal law, consumers only get access to one free credit report per year, but under the new legislation, affected consumers will be entitled to no less than three free copies from each agency after a data breach.
  4. Credit monitoring: If the breach occurs at a consumer reporting agency – like Equifax – the bill requires it to provide five years of free credit monitoring to affected consumers.
  5. Encryption: The bill will require that all agencies encrypt personal information contained in consumer credit reports to enhance the security, confidentiality and integrity of personal information.

According to Equifax, the breach reported earlier this month potentially compromised the personal information of 143 million consumers nationwide, including nearly three million Massachusetts consumers. Following the breach, AG Healey launched an immediate investigation and filed a lawsuit last week against Equifax alleging that it did not maintain the appropriate safeguards to protect consumer data in violation of Massachusetts consumer protection and data privacy laws and regulations. The AG’s Office also issued guidance for consumers in the wake of the data breach.

Equifax is a consumer reporting agency that businesses rely on to make decisions about the credit worthiness of consumers, therefore affecting whether consumers can buy a house, acquire a loan, lease a vehicle, or even get a job. Currently, consumers have little to no control over the information about them that Equifax acquires.